DETAILED ACTION



1. This action is responding to application papers filed 3-20-2007.



2. Claims 1 - 34 are pending. Claims 1, 13, 23 are independent.



Response to Remarks 



3. The following is in response to remarks dated 3-20-2007. 

3.1 Applicant argues, a web farm, (see Remarks Pages 9, 10) 

The Specification does not disclose a definition for a web farm. The Specification 
mentions that a web farm contains two (or more ?) servers and a database for session 
information storage. Therefore, the standard definition for a web farm is applied. A 
web farm is defined as, "A Web server farm, or Web farm, refers to either a Web site
that runs off of more than one server".
(http://www.webopedia.com/TERM/S/server_farm.html) The Williams prior art
discloses an equivalent distributed data processing system as a web farm. The 
Williams prior art discloses multiple server systems utilized to process requests 
(perform requested services) from multiple client systems, (see Williams paragraph 
[0036], lines 3-4; paragraph [0037], lines 16-19: multiple servers, multiple clients) 



3.2 Applicant argues, common session database, and redirection of service requests 
between servers, (see Remarks Pages 9, 10) 

The Williams prior art discloses a database for the storage of session management
information, (see Williams paragraph [0037], lines 10-12; paragraph [0075], lines 12-16:
database, storage). In addition, the Williams prior art discloses the capability to redirect
service requests from one server to another server. A service request (despite login
request, a service request is still processed) is redirected to a second server for service 
completion, (see Williams paragraph [0067], lines 12-18: redirection of session token 
and session information, redirection request for resources) 

The Williams prior art discloses a system and a method for secure session 
management within a collection of web server systems (web farm) using a session 
token. The claim limitations disclose that the token is renewed after each use. (see 
Specification Page 2, Paragraph [0006], lines 7-9) A session management web service 
updates the session token with each request received from a browser, (see Williams 
paragraph [0016], lines 7-13; paragraph [0016], lines 4-7: generate new encrypted 
session token and transfer) If the request must be redirected to a new server where 
the requested resource is located (see Williams paragraph [0067], lines 12-18: 
redirection of session token and session information, redirection request for resources) 
then the decrypted session token is transmitted to the new server and the session 
management web service generates a new session token to be used in place of the 
previous session token. The new session token is transmitted to the browser with the 
requested web resource. 

The Williams prior art discloses server(s) utilized for authentication and session
token(s) generation. The Williams prior art discloses the capability for session tokens to
be encrypted and decrypted during session token processing, (see Williams paragraph 
[0051], lines 14-16: encryption/decryption utilized for security) Once client access 
procedures are completed, the Williams prior art processes service requests to access 
a required resource. 

The Williams prior art discloses a web farm data processing system. The Williams 
prior art discloses storage capabilities, and the capability to redirect service requests. In 
addition, the Williams prior art discloses the capability to encrypt and decrypt a session 
token. 

The referenced prior art discloses the claim limitations. 

3.3 The examiner has considered the applicant's remarks concerning a system and 
method for secure session management in a web farm utilizing a session token, which 
is updated with each request received from a browser. The capability exists for the 
redirection of a request to a new server to locate the requested resource, and 
encryption/decryption of session token(s). Applicant's arguments have thus been fully 
analyzed and considered but they are not persuasive. 

After an additional analysis of the applicant's invention, remarks, and a search of 
the available prior art, it was determined that the current set of prior art consisting of 
Williams (20030005118) and Bachman (5,907,621) discloses the applicant's invention
including disclosures in Remarks dated March 20, 2007. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102(e) 
that form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

5. Claims 1 - 6, 9 - 18, 21 - 28, 31 - 34 are rejected under 35 U.S.C. 102(e) as 
being anticipated by Williams et al. (US PGPUB No. 20030005118).

Regarding Claims 1, 23, Williams discloses a method, computer program product of 
secure session management for a web farm, the web farm including a first server and a 
second server, the second server having a requested web page, the method comprising 
the steps of: 

a) receiving, at the first server, a request for the requested web page from a 
browser, said request including an encrypted session token; (see Williams 
paragraph [0019], lines 1-5: request processing; paragraph [0016], lines 1-4:
session token; paragraph [0050], lines 10-16; paragraph [0051], lines 14-16:
encryption utilized for security) 

b) decrypting said encrypted session token at the first server to obtain a session 
token; (see Williams paragraph [0020], lines 8-11: validate (decryption is
required to process encrypted information) session information, process
encrypted session information) 

c) redirecting said request to the second server, including transmitting said session 
token to the second server; (see Williams paragraph [0067], lines 12-18: 
redirection of session token and session information) and 

d) verifying said session token, (see Williams paragraph [0020], lines 8-11;
paragraph [0074], lines 7-11: validate session token information, client and
session identification information) 

Regarding Claims 2, 24, Williams discloses the method, computer program product 
claimed in claims 1, 23, further including steps of creating a new session token,
encrypting said new session token at the second server to produce a new encrypted 
session token, and transmitting a response to said browser from the second server, 
wherein said response includes said new encrypted session token, (see Williams 
paragraph [0016], lines 7-13; paragraph [0016], lines 4-7: generate new encrypted 
session token and transfer) 

Regarding Claims 3, 5, 15, 17, 25, 27, Williams discloses the method, system, 
computer program product claimed in claims 2, 13, 14, 23, 24, wherein said session
token includes a session ID and a timestamp, and wherein said step of creating a new 
session token includes generating a new session ID and updating said timestamp. (see 
Williams paragraph [0062], lines 9-16; paragraph [0050], lines 1-5: session token, 
session ID and timestamp) 

Regarding Claims 4, 16, 26, Williams discloses the method, system, computer 
program product claimed in claims 2, 14, 24, further including a step of updating a 
common session database by replacing said session token with said new session token 
in said common session database, (see Williams paragraph [0069], lines 9-15: 
database for session token information storage) 

Regarding Claims 6, 18, 28, Williams discloses the method, system, computer 
program product claimed in claims 5, 17, 27, wherein a common session database 
contains a stored session ID and a stored timestamp, and wherein said step of verifying 
includes comparing said session ID and said timestamp with said stored session ID and 
said stored timestamp. (see Williams paragraph [0069], lines 9-15: database for session 
token information storage; paragraph [0062], lines 9-16; paragraph [0050], lines 1-5: 
session token, session ID and timestamp; paragraph [0020], lines 8-11: verification
session information) 

Regarding Claims 9, 21, 31, Williams discloses the method, system, computer 
program product claimed in claims 1, 13, 23, wherein said step of transmitting includes
incorporating said session token into a URL. (see Williams paragraph [0044], lines 8-12: 
URL processing techniques utilized) 

Regarding Claims 10, 32, Williams discloses the method, computer program product 
claimed in claims 1, 23, wherein a session management web service performs said step
of verifying, said session management web service being accessible to said first server
and said second server, and wherein said step of verifying includes comparing said
session token with stored session data, (see Williams paragraph [0020], lines 8-11:
session information verification) 

Regarding Claims 11, 33, Williams discloses the method, computer program product 
claimed in claims 10, 32, wherein the web farm further includes a common session 
database containing said stored session data, (see Williams paragraph [0013], lines 5- 
9; paragraph [0036], lines 3-4: web farms, set of interconnected web servers) 

Regarding Claims 12, 22, 34, Williams discloses the method, system, computer 
program product claimed in claims 1, 13, 23, wherein said requested web page includes
a web resource selected from the group including an applet, an HTML page, a Java 
server page, and an Active server page, (see Williams paragraph [0044], lines 3-8; 
paragraph [0042], lines 8-15: protected resource, a HTML web page) 

Regarding Claim 13, Williams discloses a system for secure session management, the
system being coupled to a network and receiving a request for a requested web page 
from a browser via the network, the request including an encrypted session token, the 
system comprising: 

a) a first server including a first request handler for receiving the request and 
decrypting the encrypted session token to produce a session token; (see 
Williams paragraph [0013], lines 5-9; paragraph [0050], lines 10-16: multiple 
servers, encrypted; paragraph [0020], lines 8-11: validate (i.e. must decrypt in 
order to process) session information) 

b) a second server including the requested web page; (see Williams paragraph 
[0013], lines 5-9: multiple servers; paragraph [0044], lines 3-8; paragraph [0042], 
lines 8-15: resource requested, a HTML web page) 

c) a common session database including stored session data; (see Williams 
paragraph [0069], lines 9-15: database for session token information storage) 
and 

d) a session management web service, accessible to said first server and said 
second server and including a validation component for comparing said session 
token with said stored session data; (see Williams paragraph [0020], lines 8-11: 
session verification information) 

e) wherein said first request handler redirects the request to said second server and 
transmits the session token to said second server, (see Williams paragraph 
[0067], lines 12-18: redirection capabilities) 

Regarding Claim 14, Williams discloses the system claimed in claim 13, wherein said
session management web service includes a token generator for creating a new 
session token for said second server, and wherein said second server includes a 
second request handler, said second request handler encrypting said new session 
token to produce a new encrypted session token and transmitting a response to said 
browser, wherein said response includes said new encrypted session token, (see 
Williams paragraph [0016], lines 7-10; paragraph [0016], lines 4-7: new session token 
generated and transferred; paragraph [0050], lines 10-16; paragraph [0051], lines 14- 
16: encrypted session token information) 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

7. Claims 7, 8, 10, 20, 29, 30 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Williams in view of Bachman et al. (US Patent No. 5,907,621). 

Regarding Claims 7, 19, 29, Williams discloses the method, system, computer 
program product claimed in claims 5, 17, 27. (see Williams paragraph [0050], lines 1-5:
time parameter usage and processing) Williams does not specifically disclose a time
out processing capability. However, Bachman discloses wherein including a step of 
determining whether a session has timed out, said step of determining including 
determining an elapsed time between said timestamp and a current server time, and 
comparing said elapsed time with a predetermined maximum time to determine whether 
said session has timed out. (see Bachman col. 1, lines 65-67: session management; 
col. 4, lines 11-17; col. 6, lines 10-19: process time out condition) 

It would have been obvious to one of ordinary skill in the art to modify Williams as 
taught by Bachman to enable the capability to process a time period expiration 
condition. One of ordinary skill in the art would have been motivated to employ the 
teachings of Bachman in order to enable the capability to create a secure 
communications session between server and client systems and avoid distracting the 
client with the placement of token information within the page, (see Bachman col. 1, 
lines 65-67: "... An advantage of the present invention is that a secure user session
can be established between an internet server and a browser at an unsecured client. ...";
col. 2, lines 15-17: "... To avoid distracting the user, the token is carried in a field of
the page that is normally not displayed in the presentation space. ...")

Regarding Claims 8, 20, 30, Williams discloses the method, system, computer 
program product claimed in claims 7, 19, 29. (see Williams paragraph [0050], lines 1-5: 
time parameter usage and processing) Williams does not specifically disclose a time 
out processing capability. However Bachman discloses wherein includes a step of 
closing said session if said session has timed out. (see Bachman col. 1, lines 65-67:
session management; col. 4, lines 11-17; col. 6, lines 10-19: process time out condition, 
session erased, closed) 

It would have been obvious to one of ordinary skill in the art to modify Williams as 
taught by Bachman to enable the capability to process a time period expiration 
condition. One of ordinary skill in the art would have been motivated to employ the 
teachings of Bachman in order to enable the capability to create a secure 
communications session between server and client systems and avoid distracting the 
client with the placement of token information within the page, (see Bachman col. 1,
lines 65-67; col. 2, lines 15-17) 

Conclusion 

Applicant's arguments filed 3-20-2007 have been fully considered but they are 
not persuasive. 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later
than SIX MONTHS from the mailing date of this final action.

Application/Control Number: 10/733,326
Art Unit: 2136

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carlton V. Johnson whose telephone number is 571- 
270-1032. The examiner can normally be reached on Monday thru Friday, 8:00 -
5:00PM EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on 571-272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Carlton V. Johnson 
Examiner 